avoid xss attack on user picture

glpi-project · Jun 20, 2019 · c2aa7a7 · c2aa7a7
1 parent 6189eee
commit c2aa7a7
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/inc/user.class.php b/inc/user.class.php
@@ -550,6 +550,11 @@ function prepareInputForAdd($input) {
          return false;
       }
 
+      // avoid xss (picture field is autogenerated)
+      if (isset($input['picture'])) {
+         $input['picture'] = 'NULL';
+      }
+
       if (!isset($input["authtype"])) {
          $input["authtype"] = Auth::DB_GLPI;
       }
@@ -681,6 +686,11 @@ function post_addItem() {
    function prepareInputForUpdate($input) {
       global $CFG_GLPI;
 
+      // avoid xss (picture field is autogenerated)
+      if (isset($input['picture'])) {
+         $input['picture'] = 'NULL';
+      }
+
       //picture manually uploaded by user
       if (isset($input["_blank_picture"]) && $input["_blank_picture"]) {
          self::dropPictureFiles($this->fields['picture']);
@@ -2004,6 +2014,7 @@ function showForm($ID, array $options = []) {
       }
 
       if (!empty($this->fields["name"])) {
+
          echo "<td rowspan='4'>" . __('Picture') . "</td>";
          echo "<td rowspan='4'>";
          echo "<div class='user_picture_border_small' id='picture$rand'>";
@@ -4853,6 +4864,9 @@ static function checkDefaultPasswords() {
    static function getURLForPicture($picture) {
       global $CFG_GLPI;
 
+      // prevent xss
+      $picture = Html::cleanInputText($picture);
+
       if (!empty($picture)) {
          return $CFG_GLPI["root_doc"]."/front/document.send.php?file=_pictures/$picture";
       }
@@ -4872,6 +4886,9 @@ static function getURLForPicture($picture) {
    static function getThumbnailURLForPicture($picture) {
       global $CFG_GLPI;
 
+      // prevent xss
+      $picture = Html::cleanInputText($picture);
+
       if (!empty($picture)) {
          $tmp = explode(".", $picture);
          if (count($tmp) ==2) {